vADC Forum

Reply
Occasional Contributor
Posts: 9
Registered: ‎01-22-2014
Accepted Solution

Forward client auth with certificate

Hi all,

we have a web site reversed on StingRay by a VirtualServer with SSL decryption and pool with SSL encryption, untill now all is easy to deploy.
UserBrowser  =>  SSL Decryption  =>  VirtualServer   =>  SSL Encryption  =>  Pool  =>  nodes

A new feature of our web site implements user authentication with client certificate and here is the problem: is it possible to forward request of client authentication with certificate from back-end to the real user through StingRay and return the response to the back-end server?

Node  =>  ClientCertRequest  =>  Pool  =>  VirtualServer =>  UserBrowser  =>  ClientCertResponse  =>  VirtualServer  =>  Pool  =>  Node

Regards

Stefano

Brocadian
Posts: 227
Registered: ‎11-29-2012

Re: Forward client auth with certificate

The only way to achieve this would be to validate the client certificate on the STM, then extract the SSL client certificate information using Traffic Script (details below) that has been validated and pass it in an HTTP header to the back end (ensuring that your traffic script to do this ensures the header is not already present - for security reasons!) .

Your back end application would need to have code to handle the HTTP header and allocate rights accordingly.

In your TrafficScript you would need to use ssl.clientCert() and http.addHeader():

http.addHeader( name, value )

Modifies the current HTTP request, adding an HTTP header with the supplied value. A case-insensitive lookup is first performed in order to find any existing headers. If a match is found, a duplicate header will be added to the message along with the new value.

# Add a host header if it is missing
if( !http.headerExists( "Host" ) ) {
   http.addHeader( "Host", "unknown" );
}


ssl.clientCert()

Returns the PEM encoded client certificate, or the empty string if the connection was not SSL-encrypted or if a certificate was not supplied.

# Display the client certificate data
$cert = ssl.clientCert();
log.info( "Certificate: " . $cert );
Occasional Contributor
Posts: 9
Registered: ‎01-22-2014

Re: Forward client auth with certificate

Hi Aidan,

we were looking for a way to pass through the cert authentication but there's no way to do that.

We already use custom header passing information to our web-app.

Thanks for your the response,

Regards,

Stefano

Join the Community

Get quick and easy access to valuable resource designed to help you manage your Brocade Network.